Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.


Web Spoofing: Introduction

“Phishing”

• Is a form of identity theft in which deception is used to trick a user into revealing confidential information that has economic value.

Web Spoofing: Introduction

Definition

• Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers into believing that the website has been created by a different person or organization.

• Web spoofing is a phishing scheme.

Web Spoofing: Statistics

• The Gartner Group estimates the direct phishing-related loss to US banks and credit card issuers in the last year to be $1.2 billion.

• Indirect losses are much higher, including customer service expenses and account replacement costs.

Web Spoofing: Chart (the chart image is not included in the transcript)

Web Spoofing: Phishing Technologies

The goal of phishing is to deceive the user in the following ways:

• Deceiving a user into believing a message comes from a trusted source.

• Deceiving a user into believing that a web site is a trusted institution.

• Deceiving a spam filter into classifying a phishing email as legitimate.

Web Spoofing: Deception

• Deceptive return address information - Attempts to appear as a trusted source.

• Fraudulent request for action - Prompts the user to provide information.

• Deceptive appearance - Mimics the visual appearance of the target site.

Web Spoofing: Deceptive Links

• Misleadingly named - A link such as http://security.commerceflow.com will lead to http://phisher.com

• Redirected - If the targeted company has an “open redirect”, then this can be used to redirect a legitimate URL to a phishing site.

Web Spoofing: Deceptive Links (continued)

• Obfuscated - Using encoded characters to hide the destination address of a link; for example, the HTML numeric character references &#97;&#98;&#99; render as "abc".

• Programmatically obscured - Using a scripting language such as JavaScript to hide the destination of a link address, for example by using the mouse-over function to show an address other than the one the link points to.

Web Spoofing: Deceptive Location

It is not possible to determine whether a connection to a site is secure by looking at a lock icon in a browser:

• A lock icon by itself means only that the site has a certificate.

• It is possible to get a browser to display a lock icon using a self-signed certificate.

• A lock icon may be overlaid on top of the browser using the same technologies used to fake the URL bar.

Web Spoofing: Information Flow Model

1. A deceptive message is sent from the phisher to the user.

2. A user provides confidential information to a phishing server (normally after some interaction with the server).

3. The phisher obtains the confidential information from the server.

4. The confidential information is used to impersonate the user.

5. The phisher obtains illicit monetary gain.

Web Spoofing: Prevention

Preventing phishing attacks: the average phishing site stays active no more than 54 hours.

• Pre-emptive domain registration

• “Holding period” for new domain registrations

• E-mail authentication could prevent forged or misleading email return addresses.

Web Spoofing: Defenses Against Early User Actions

Open Information – Allow different spam filters, e-mail clients, and browsers to exchange information about unsafe domains.

Warn The User – Alert the user when they attempt to click on an obfuscated link. Show the user the actual link and whether the site is trusted or not, and prompt the user whether or not they wish to continue with the link.
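As an added example (not code from the slides), the link check that the Warn The User defense calls for, applied to the obfuscated and redirected links described on the Deceptive Links slides: it decodes HTML character references, parses the href the way a browser does, compares it with what the user sees, and flags open-redirect parameters. It assumes Node.js 12+ (global URL class); the sample links using phisher.com and commerceflow.com are constructed.

```javascript
// Added example (not from the slides): link inspector for the "Warn The User"
// defense. Assumes Node.js 12+ (global URL class); samples are constructed.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode &#NNN; / &#xHH; / &name; references, e.g. "&#104;ttp" -> "http".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] !== '#') return NAMED_ENTITIES[ref.toLowerCase()] || match;
    const hex = ref[1].toLowerCase() === 'x';
    return String.fromCodePoint(parseInt(ref.slice(hex ? 2 : 1), hex ? 16 : 10));
  });
}

// Parse like a browser. Visible link text such as "bank.example" has no scheme,
// so a bare host is also tried as http://host; non-URL text returns null.
function parseUrl(s) {
  const t = s.trim();
  const candidates = [t];
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+(\/|$)/i.test(t)) candidates.push('http://' + t);
  for (const c of candidates) {
    try { return new URL(c); } catch (e) { /* not a URL in this form */ }
  }
  return null;
}

// Inspect one anchor: `href` as written in the HTML, `text` as the user sees it.
// Returns the true destination and the warnings a toolbar should show.
function inspectLink(href, text) {
  const warnings = [];
  const decoded = decodeEntities(href);
  const dest = parseUrl(decoded);
  if (!dest) return { destination: null, warnings: ['Destination does not parse as a URL'] };
  // Entities in the attribute or %XX bytes in the host part hide the real name.
  if (decoded !== href || /%[0-9a-f]{2}/i.test(decoded.split('/')[2] || '')) {
    warnings.push('Destination was obfuscated with encoded characters');
  }
  // Visible text that names a different site than the real destination.
  const shown = parseUrl(text);
  if (shown && shown.hostname !== dest.hostname) {
    warnings.push(`Link text shows ${shown.hostname} but destination is ${dest.hostname}`);
  }
  // A query parameter carrying a full URL: the open-redirect pattern.
  for (const [key, value] of dest.searchParams) {
    if (!/^https?:\/\//i.test(value)) continue;
    const onward = parseUrl(value);
    warnings.push(`Parameter "${key}" redirects onward to ${onward ? onward.hostname : value}`);
  }
  return { destination: dest.href, warnings };
}
```

Calling `inspectLink('&#104;ttp://phisher.com/login', 'http://security.commerceflow.com/')` returns the decoded destination with two warnings (encoded characters, and a host mismatch between the visible text and the real link), which is exactly what the toolbar would display before asking the user whether to continue.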

Web Spoofing: Defenses

Disrupting Data Transmission

• Monitor Outgoing Data – Implement a browser tool-bar that hashes information and checks if confidential information is being sent.

• Blacklisting – Block IP ranges of known phishing sites.

• Encryption – Encrypt sensitive information before transmission.

Web Spoofing: Defenses

Advanced Authentication

– Two-factor Authentication – Require proof of two out of three criteria (what you are, what you have, or what you know).

– Requires some sort of hardware or time-sensitive information.

– Use a checksum to verify that the information came from the user's machine and not a phisher.

Web Spoofing: Cross-site Scripting

Cross-site scripting is inserting a malicious script inside a secure domain.

– A phisher could insert a malicious script inside an auction or a product review to attack the user.

– The script would modify the host site so that the user believes he/she is interacting with the secure site.

– It is difficult to write a sufficient filter to remove cross-site scripting. How do you know if a script is malicious?

– Cross-site scripting could be hindered by introducing a <noscript> tag on user-supplied content.
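The product-review case above as an added example (not code from the slides): the same review rendered by a page that trusts it as HTML and by one that output-encodes it. The second answers the slide's question of how to tell whether a script is malicious by not trying to classify scripts at all; the review text is constructed.

```javascript
// Added example (not from the slides): a product review rendered two ways.
// The 'before' form concatenates user text straight into the page, so a
// <script> in a review runs with the site's own origin; the 'after' form
// encodes every review as text. The sample review is constructed.

// Vulnerable: trusts the review body as HTML (the 'before' of the fix).
function renderReviewUnsafe(author, body) {
  return '<div class="review"><b>' + author + '</b><p>' + body + '</p></div>';
}

// Replace the five characters that can change HTML structure or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: every user-supplied field is output-encoded, so markup inside a
// review is displayed literally instead of being interpreted by the browser.
function renderReviewSafe(author, body) {
  return '<div class="review"><b>' + escapeHtml(author) + '</b><p>' + escapeHtml(body) + '</p></div>';
}

// Does the rendered HTML still contain a script tag the browser would execute?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample: a review carrying a script that rewrites the host page,
// the kind of modification the slide describes.
const SAMPLE_REVIEW = "Great product! <script>document.body.innerHTML='Session expired, please log in again';</script>";
console.log(containsScriptTag(renderReviewUnsafe('mallory', SAMPLE_REVIEW))); // true
console.log(containsScriptTag(renderReviewSafe('mallory', SAMPLE_REVIEW)));   // false
```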

Web Spoofing: Examples

Example 1 - http://www.msfirefox.com/ and http://www.msfirefox.net/

Example 2 - Florida Commerce Credit Union

Example 3 - Thomas Scott’s Parody

(Screenshots labelled “Unofficial site” and “Official site” are not included in the transcript.)

Web Spoofing: Leading Nations (the chart image is not included in the transcript)

Web Spoofing: Conclusion

• Current technology is unable to completely stop phishing and web spoofing.

• Improvements in security technology can drastically reduce the number of phishing schemes.

Web Spoofing: Videos

Documentary Footage

Identity theft victims

Don’t let this happen to you.

Web Spoofing

ANY QUESTIONS?